Michaels Breach Lawsuits Dismissed
Judge Rules Retailer Doesn't Owe Damages to Consumers
A district court in Illinois has dismissed a consolidated consumer class action lawsuit seeking damages from Michaels Stores Inc. for a card breach the arts and crafts retailer suffered starting in 2013.
In a 20-page ruling, U.S. District Judge Elaine Bucklo says the six plaintiffs named in the consolidated suits failed to prove that they suffered "actual economic damage" as a result of using their credit and debit cards at Michaels during the time of the breach.
In April, the arts and crafts retailer confirmed its stores were hit by a data breach that potentially compromised account information for 3 million payment cards between May 2013 and Feb. 2014.
Michaels operates 1,262 stores under the Michaels and Aaron Brothers brands in 49 states and Canada. Last year, the company reported $4.6 billion in sales revenue.
Bucklo says the suits failed to show that consumers suffered monetary losses as a result of the breach. "Plaintiffs allegedly suffered 'monetary losses arising from unauthorized bank account withdrawals, fraudulent card payments, and/or related bank fees charged to their accounts.' This allegation is entirely conclusory," Bucklo says.
Security experts say class action lawsuits filed by consumers in the wake of card breaches are increasingly dismissed by U.S. courts. "The fundamental challenge for every one of these cases ... is proving that harm occurred as a result of the breach," says Al Pascual, a financial fraud expert and lead analyst at consultancy Javelin Strategy & Research. "Establishing a one-to-one relationship between breached data and fraud is a challenge for qualified professionals, and it is an impossibly high bar to set for plaintiffs to meet."
Tough to Make Connection
With so many breaches of card data, it's difficult to tether fraudulent activity to one particular breach. In fact, one breach attorney says consumer class-action suits, such as those filed against Michaels and restaurant chain P.F. Chang's, are "dead in the water" (see Breach Suit Filed Against P.F. Chang's).
"It's the same old claims dismissed for the same old reasons," says the attorney, who asked not to be named. "Throw another consumer data breach case on the scrap heap. Unless and until Congress enacts a comprehensive data breach statute, the basic consumer cases will go nowhere. They are D.O.A. [dead on arrival], unless a retailer wants to voluntarily settle to buy street cred in the marketplace in the eyes of consumers. Apparently, Michaels did not."
And because U.S. consumers, as required under Regulation E, are reimbursed by their banking institutions for financial losses that result from fraud, class-action claims seeking damages against retailers have not been well-received by the courts.
Regulation E protects consumers when they use electronic fund transfers, including debit and credit payments at the point of sale. If those payments have not been authorized by the cardholder and are found to be fraudulent, the issuing banking institution is obligated to provide a refund to the customer.
"Since consumers are reimbursed by their financial institution, it seems unreasonable that they would claim the merchant should also bear liability to reimburse them," says Shirley Inscoe, a senior analyst and financial fraud expert at the consultancy Aite. "In almost all cases of data breaches, the retailers offer identity theft monitoring for a year, which seems to have established a standard by now that is accepted by most consumers."
At some point, consumer class-action suits will start to seem frivolous, Inscoe adds.
Reasons for Dismissal
In the Michaels suits, the plaintiffs claimed the breach exposed them to an "elevated risk of identity theft and costs associated with protecting themselves against this risk." As a result, they argued Michaels should award the exposed consumers damages.
In her ruling, Bucklo found that the plaintiffs did face elevated risk because of the Michaels breach. But she dismissed the case because the plaintiffs failed to prove, as is required under Illinois' laws of breach of contract and consumer fraud, that they suffered actual monetary damages.
Variations in state laws regarding breach notification and recovery hinder most class-action cases, says Jennifer Rathburn, a cybersecurity attorney and partner at Milwaukee law firm Quarles & Brady LLP.
"They've really all kind of fallen flat or settled," Rathburn says. "It's hard, because we don't know how all of the courts are going to deal with these types of cases. What's interesting is how consumers are bringing the class action claims and what the state law says you need to prove, because it varies from state-to-state."
Pascual says because the U.S. has no national breach law, consumer lawsuits related to breaches face numerous challenges. "Until greater liability is codified via legislation, these class action cases will continue to prove unfruitful for affected consumers who choose to pursue a legal remedy," he says.
Class action suits that claim consumers should be awarded damages for breaches that merely put them at increased risk of identity theft or fraud have been successful in some cases, says cybersecurity attorney David Navetta, co-founder of the Information Law Group and co-chairman of the American Bar Association's Information Security Committee. But in the Michaels case, they failed because of the Illinois requirements, he adds.
"The plaintiffs still could not adequately allege damages here without establishing any identity theft, even if they actually paid for credit monitoring services," Navetta says. "It is tough sledding for these claims without identity theft."